From 15a37413b4baca91369132bcc64266b9291f41d8 Mon Sep 17 00:00:00 2001
From: Eike Rathke
Date: Wed, 20 Feb 2013 00:08:07 +0100
Subject: [PATCH] do not access vector elements beyond size, rhbz#847519 related
---
 ...ctor-elements-beyond-size-rhbz-84751.patch | 79 +++++++++++++++++++
 libreoffice.spec | 7 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch
diff --git a/0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch b/0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch
new file mode 100644
index 0000000..9f426a4
--- /dev/null
+++ b/0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch
@@ -0,0 +1,79 @@
+From e34b40bcd923027a26540e1a215c155ed0753472 Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Eike Rathke
+Date: Tue, 19 Feb 2013 19:22:27 +0100
+Subject: [PATCH] do not access vector elements beyond size, rhbz#847519
+ related
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+The actual bug (crash) is not triggered anymore because the categories
+are assembled differently, nevertheless the code in question could
+expose the same behavior under different preconditions.
+
+Change-Id: Ic37f6b34effaf4e5252e80aab46b021547b36efb
+(cherry picked from commit d1ba2cd612a4c39976e2980c7dc4e3fa38c88470)
+---
+ chart2/source/tools/ExplicitCategoriesProvider.cxx | 24 ++++++++++++-------
+ 1 files changed, 15 insertions(+), 9 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch"
+
+diff --git a/chart2/source/tools/ExplicitCategoriesProvider.cxx b/chart2/source/tools/ExplicitCategoriesProvider.cxx
+index e3d800f..00b481c 100644
+--- a/chart2/source/tools/ExplicitCategoriesProvider.cxx
++++ b/chart2/source/tools/ExplicitCategoriesProvider.cxx
+@@ -353,11 +353,14 @@ Sequence< OUString > lcl_getExplicitSimpleCategories(
+ }
+ for( aOuterIt=rComplexCats.begin(); aOuterIt != aOuterEnd; ++aOuterIt )
+ {
+- sal_Int32 nCurrentCount = lcl_getCategoryCount( *aOuterIt );
+- if( nCurrentCount< nMaxCategoryCount )
++ if ( !aOuterIt->empty() )
+ {
+- ComplexCategory& rComplexCategory = aOuterIt->back();
+- rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount);
++ sal_Int32 nCurrentCount = lcl_getCategoryCount( *aOuterIt );
++ if( nCurrentCount< nMaxCategoryCount )
++ {
++ ComplexCategory& rComplexCategory = aOuterIt->back();
++ rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount);
++ }
+ }
+ }
+ }
+@@ -389,12 +392,15 @@ Sequence< OUString > lcl_getExplicitSimpleCategories(
+ OUString aText;
+ for( aOuterIt=aComplexCatsPerIndex.begin() ; aOuterIt != aOuterEnd; ++aOuterIt )
+ {
+- OUString aAddText = (*aOuterIt)[nN].Text;
+- if( !aAddText.isEmpty() )
++ if ( static_cast(nN) < aOuterIt->size() )
+ {
+- if(!aText.isEmpty())
+- aText += aSpace;
+- aText += aAddText;
++ OUString aAddText = (*aOuterIt)[nN].Text;
++ if( !aAddText.isEmpty() )
++ {
++ if(!aText.isEmpty())
++ aText += aSpace;
++ aText += aAddText;
++ }
+ }
+ }
+ aRet[nN]=aText;
+
+--------------erAck-patch-parts--
+
+
diff --git a/libreoffice.spec b/libreoffice.spec
index 5db22af..c824187 100644
--- a/libreoffice.spec
+++ b/libreoffice.spec
@@ -47,7 +47,7 @@ Summary: Free Software Productivity Suite
 Name: libreoffice
 Epoch: 1
 Version: %{libo_version}.3
-Release: 7%{?libo_prerelease}%{?dist}
+Release: 8%{?libo_prerelease}%{?dist}
 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0
 Group: Applications/Productivity
 URL: http://www.documentfoundation.org/develop
@@ -263,6 +263,7 @@ Patch23: 0001-Work-around-problem-with-boost-shared_array-NULL-cto.patch
 Patch24: 0001-fix-compile-for-change-to-boost-1.53.0-declaring-sma.patch
 Patch25: 0001-fdo-60491-scp2-always-package-emboleobj-library-on-n.patch
 Patch26: 0001-Resolves-rhbz-895196-sc-filter-float-a11y-parent-of-.patch
+Patch27: 0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch
 
 %define instdir %{_libdir}
 %define baseinstdir %{instdir}/libreoffice
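Review bot: The bounds check added in the second hunk, `if ( static_cast(nN) < aOuterIt->size() )` (the cast's template argument appears to have been lost in this rendering; it should be the container's size type), turns a former out-of-bounds read into a silent skip, so a level that is shorter than nMaxCategoryCount now yields a truncated category label with no diagnostic. The first hunk makes that state reachable on purpose, since the `rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount)` padding is now only applied when `!aOuterIt->empty()`, so I would add a debug-build assertion or warning on the else path of the new check (using whatever assertion macro this file already uses) so the inconsistency is reported in development builds rather than masked. A one-line comment above the check, `// if nN is negative it converts to a large unsigned value and fails the test, which is the safe outcome`, would also save the next reader from re-deriving why a signed index is acceptable here. lcl_getExplicitSimpleCategories starts before and ends after both hunks, so the origin and range of nN are not visible in this patch.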
@@ -1012,6 +1013,7 @@ mv -f redhat.soc extras/source/palettes/standard.soc
 %patch24 -p1 -b .fix-compile-for-change-to-boost-1.53.0-declaring-sma.patch
 %patch25 -p1 -b .fdo-60491-scp2-always-package-emboleobj-library-on-n.patch
 %patch26 -p1 -b .rhbz-895196-sc-filter-float-a11y-parent-of-.patch
+%patch27 -p1 -b .do-not-access-vector-elements-beyond-size-rhbz-84751.patch
 
 # TODO: check this
 # these are horribly incomplete--empty translations and copied english
@@ -2079,6 +2081,9 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
 %endif
 
 %changelog
+* Wed Feb 20 2013 Eike Rathke - 1:4.0.0.3-8-UNBUILT
+- do not access vector elements beyond size, rhbz#847519 related
+
 * Tue Feb 19 2013 Caolán McNamara - 1:4.0.0.3-7
 - Resolves: rhbz#895196 sc filter float a11y parent of itself